25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Pan-American Life Insurance Group Reports 105,000-Record Data Breach

Posted By on Dec 29, 2023

Pan-American Life Insurance Group, Inc. (PALIG) has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023.

PALIG was notified about the vulnerability by Progress Software and immediately disabled to software until the patch could be applied. The patch was applied, and steps were taken to improve the security of its systems. At the same time, an investigation was launched to determine if the vulnerability had been exploited, and that proved to be the case. On October 5, 2023, PALIG determined that files had been removed from the MOVEit server that contained protected health information including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

PALIG has now notified those individuals and has offered complimentary credit monitoring services. PALIG has also confirmed that steps have been taken to further improve security and ensure the security of third-party transfer tools.

The breach has been reported to the HHS’ Office for Civil Rights as two incidents, one affecting health plan members (105,387 individuals) and another in its capacity as a business associate (94,807 individuals).

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Bellin Health Notifies Patients About October Cyberattack

Bellin Health has recently announced that an unauthorized third party gained access to its internal systems and may have viewed or acquired the information of patients who purchased home care equipment between 2006 and 2013. Unauthorized activity was detected within its computer systems on October 27, 2023. Its IT security team immediately took steps to contain the activity and launched an investigation to determine the nature and scope of the unauthorized activity.

Assisted by third-party cybersecurity experts, Bellin Health determined that a cyber actor gained access to a folder containing archived scanned documents that contained patient names in combination with one or more of the following: address, phone number, date of birth, and/or health information related to home care equipment. A limited number of documents also included Social Security numbers.

Bellin Health said it has strengthened system security and will continue investing in cybersecurity. The breach was reported to the HHS’ Office for Civil Rights as affecting 20,790 individuals. Patients whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Clay County, Minnesota Suffered a Ransomware Attack in October

Clay County in Minnesota announced on December 22, 2023, that it fell victim to a ransomware attack in October. The unauthorized activity was detected in its electronic document management system on October 27, 2023, and the forensic investigation revealed there had been unauthorized access between October 23, 2023, and October 26, 2023, when ransomware was used to encrypt files.

The investigation confirmed that access had been gained to names in combination with one or more of the following: address, date of birth, Social Security number, information regarding services provided by Clay County Social Services (locations of service, dates of service, client identification number or unique identifier), insurance identification number, and insurance or billing information.

Clay County officials confirmed that they have taken several steps to improve security, including implementing multifactor authentication for remote access to the compromised CaseWorks application, updating procedures for external access by vendors, implementing tools to enhance detection and accelerate the response to cyber incidents, and implementing enhanced technical security measures for the CaseWorks application.

The incident has been reported to the HHS’ Office for Civil Rights by Clay County Social Services as affecting 22,005 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist